System analysis and consulting

More often than not, third-party automation modules greatly enhance operator productivity, but at the same time they stand in the way of properly understanding a matter.
For a deep dive, I regularly propose switching to a shell (even ksh or tcsh will do) and simply working through it by hand.

The most frequent causes of data loss are, in roughly that order, user stupidity, malicious software, physical theft, coffee poured over disks (a subset of user stupidity worth mentioning) and actual hardware failure.
When insuring against the first two with ZFS snapshots, replicating the snapshots themselves to backup machines is usually preferable to rsync-walking large filesystems on slow storage: an incremental send stream is derived from the dataset's block metadata instead of traversing and comparing every file, and the backup side ends up with the same restore points as the source. Snapshots only count as protection against the first two if the user or the malware cannot destroy them, which is exactly what a copy on a separate machine is for.
zrep is a program that may facilitate that process considerably.
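The following script illustrates the snapshot-replication approach described above. It is an added example, not zrep's code and not part of the original page: it takes a new snapshot, finds the newest snapshot present on both sides, and ships either a full stream (first run) or an incremental stream covering every snapshot the backup lacks. The dataset names `tank/home` and `backup/home`, the host alias `backup`, and the assumption that the backup dataset is kept `readonly=on` are illustrative choices, not something the page states.

```shell
#!/usr/bin/env bash
# Incremental ZFS snapshot replication to a backup host (illustration, not zrep).
# Assumptions (not from the page): ssh to host "backup" works non-interactively
# with a key allowed to run "zfs list" and "zfs receive"; the target dataset is
# kept readonly=on after the first receive so nobody modifies it in between
# (otherwise "zfs receive" would need -F to roll it back first).
set -e
set -o pipefail 2>/dev/null || true

# Snapshot names of a dataset, newest first, without the "dataset@" prefix.
# $1: command prefix reaching that side ("" for local, "ssh backup" for remote)
# $2: dataset
snapshot_names() {
    # shellcheck disable=SC2086  # $1 is deliberately word-split ("ssh backup")
    $1 zfs list -H -t snapshot -o name -S creation -d 1 "$2" | sed 's/.*@//'
}

# Newest snapshot that exists on both sides. Prints nothing and returns 1 if
# there is none (first run, or the backup dataset was destroyed and recreated).
# $1: local dataset  $2: remote command prefix  $3: remote dataset
latest_common_snapshot() {
    remote_names=$(snapshot_names "$2" "$3")
    for name in $(snapshot_names "" "$1"); do
        if printf '%s\n' "$remote_names" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Take a new snapshot and ship everything the backup side lacks.
# $1: local dataset  $2: remote command prefix  $3: remote dataset
# $4: name of the new snapshot (default: UTC timestamp)
# Prints the name of the new snapshot.
replicate() {
    local_ds=$1 remote=$2 remote_ds=$3
    new=${4:-$(date -u +%Y-%m-%dT%H%M%SZ)}
    zfs snapshot "$local_ds@$new"
    base=$(latest_common_snapshot "$local_ds" "$remote" "$remote_ds" || true)
    # shellcheck disable=SC2086  # $remote is deliberately word-split
    if [ -z "$base" ]; then
        # First run: full stream. The target dataset must not exist yet;
        # "zfs receive" creates it. -u leaves it unmounted on the backup host.
        zfs send "$local_ds@$new" | $remote zfs receive -u "$remote_ds"
    else
        # -I (capital i) sends every snapshot between base and new, so the
        # backup keeps the same snapshot history, i.e. the same restore points.
        zfs send -I "@$base" "$local_ds@$new" | $remote zfs receive -u "$remote_ds"
    fi
    printf '%s\n' "$new"
}

# Usage: ./zfs-replicate.sh tank/home "ssh backup" backup/home
if [ $# -eq 3 ]; then
    replicate "$1" "$2" "$3"
fi
```

Run it from cron or a timer on the source host; on the first run make sure the target dataset does not exist yet, then set `readonly=on` on it. If the common snapshot ever gets pruned on one side before the next run, the script falls back to a full send into an existing dataset, which `zfs receive` refuses; that is the signal to resolve the history mismatch by hand rather than to add `-F` and silently discard the backup.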

When using LXD OS containers, either for testing purposes or as the regular means of environment isolation, some special requirements have to be met in non-standard ways.
Finding out how to satisfy the mlock requirement when deploying HashiCorp's Vault turned out to be such a case: Vault calls mlock(2) to keep its secrets out of swap, which requires either CAP_IPC_LOCK or a sufficient memlock limit, and an unprivileged container does not provide either the way a plain host does. The way to handle it was under-documented, barely hinted at and difficult to find.
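Before fighting the container configuration, it helps to know which of the two mlock(2) preconditions is actually missing. The probe below is an added example (not the page's material and not a check taken from Vault or LXD); it reads the effective capability set, the user-namespace mapping and the memlock rlimit of the current process and gives a verdict. The memory budget `REQUIRED_KB` and the identity-mapping heuristic for "are we in the initial user namespace" are assumptions of this example, not figures from Vault's documentation.

```shell
#!/usr/bin/env bash
# Probe whether a process in this environment can satisfy Vault's mlock(2) call.
# Added illustration; REQUIRED_KB and the user-namespace heuristic are assumptions.
#
# mlock(2) succeeds if the locked memory fits within RLIMIT_MEMLOCK ("ulimit -l",
# in kbytes) or if the caller holds CAP_IPC_LOCK. The kernel evaluates that
# capability against the initial user namespace, so inside an unprivileged
# container the bit can show up in CapEff and still not lift the limit.

CAP_IPC_LOCK=14                      # bit position in the CapEff mask
REQUIRED_KB=${REQUIRED_KB:-65536}    # assumed budget (64 MiB), not Vault's figure

# $1: CapEff value as printed in /proc/<pid>/status (hex, no 0x prefix)
has_cap_ipc_lock() {
    [ -n "$1" ] || return 1
    [ $(( 0x$1 >> CAP_IPC_LOCK & 1 )) -eq 1 ]
}

# $1: "ulimit -l" output ("unlimited" or kbytes)  $2: kbytes required
memlock_ok() {
    [ "$1" = unlimited ] || [ "$1" -ge "$2" ]
}

# $1: contents of /proc/self/uid_map. A full identity mapping is taken to mean
# the initial user namespace (heuristic: a child namespace could be mapped
# identically, but LXD's unprivileged containers are not).
in_init_userns() {
    # shellcheck disable=SC2086
    set -- $1
    [ $# -eq 3 ] && [ "$1 $2 $3" = "0 0 4294967295" ]
}

# Verdict: 0 if mlock of $4 kbytes is expected to work, 1 otherwise.
# $1: CapEff hex  $2: uid_map text  $3: "ulimit -l" value  $4: kbytes required
mlock_prereqs_met() {
    if in_init_userns "$2" && has_cap_ipc_lock "$1"; then
        return 0        # privileged in the initial namespace: RLIMIT_MEMLOCK does not apply
    fi
    memlock_ok "$3" "$4"
}

# Report for the running process; always returns 0, the verdict is printed.
report() {
    cap=$(sed -n 's/^CapEff:[[:space:]]*//p' /proc/self/status 2>/dev/null || true)
    uidmap=$(cat /proc/self/uid_map 2>/dev/null || true)
    limit=$(ulimit -l)
    printf 'CapEff=%s uid_map="%s" memlock=%s kB\n' "${cap:-?}" "$uidmap" "$limit"
    if mlock_prereqs_met "${cap:-0}" "$uidmap" "$limit" "$REQUIRED_KB"; then
        echo "mlock of $REQUIRED_KB kB should succeed"
    else
        echo "mlock likely to fail: need CAP_IPC_LOCK in the initial namespace or a memlock limit >= $REQUIRED_KB kB"
    fi
}

report
```

Run it as the user Vault will run as, inside the container, because both the rlimit and the capability set are per process. If the verdict is negative, the choice is between fixing the limit or capability on the host side and Vault's `disable_mlock = true` option, which removes the requirement at the price of secrets possibly being paged to swap.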

Secure distribution of secrets is a problem for many who run automatic provisioning systems, to the point that (re-)distributing secrets to stages and environments becomes the major obstacle to deployment (not even necessarily rapid deployment).

For fear of an in(de)finite rant loop, I do not wish to delve into the security impact that results directly from this - think of secrets compromised but not revoked because "there is no room for twenty-one story points in the next three sprints" - but instead suggest a methodical and structured way out.

With examples of how to consume PKI certificates from HashiCorp's Vault, both generically and by leveraging Kubernetes primitives, I hope to introduce the broader principles more rigorously than many blog posts do, which focus on usage in one specific scenario.